$7m VelocityCore Exploit POST-MORTEM

This blog provides a comprehensive analysis of the VelocityCore incident, detailing the vulnerabilities exploited, advanced security measures for prevention, and actionable recommendations for Web3 Security researchers, Audit Firms, and smart contract developers.

June 26, 2024

Introduction

The recent VelocityCore incident has underscored the critical need for robust security measures within the Web3 ecosystem. As Web3 Security researchers, Audit Firms, and smart contract developers, understanding the intricacies of such exploits is paramount to safeguarding decentralized platforms. This article delves into the VelocityCore incident, providing an in-depth analysis, examining the vulnerabilities exploited, and exploring advanced security measures to prevent similar occurrences.

Background

On May 31, 2023, VelocityCore, a prominent decentralized finance (DeFi) platform, experienced a significant security breach resulting in the loss of $7.5 million. The exploit targeted the platform’s liquidity pools and smart contracts, exposing vulnerabilities that many had overlooked. The incident highlighted the sophisticated nature of attacks in the DeFi space and the evolving tactics employed by malicious actors.

VelocityCore, which operates on the Ethereum blockchain, uses smart contracts to facilitate decentralized trading, staking, and lending. The platform's rapid growth and complex financial instruments made it an attractive target for hackers. The attackers exploited a combination of smart contract vulnerabilities and manipulation of liquidity pools, resulting in substantial financial loss and undermining user trust.

Detailed Analysis

1. The Exploit Mechanism

The attackers utilized a sophisticated multi-step process to exploit VelocityCore's smart contracts:

A. Flash Loan Attack

Flash loans, which allow users to borrow assets without collateral as long as the loan is repaid within the same transaction, were a key component of the attack. The attackers used a flash loan to borrow a large amount of assets, manipulating the liquidity pools and the price of tokens within the platform.

B. Manipulation of Oracles

The attackers targeted the price oracles, which provide external data to the smart contracts. By manipulating these oracles, they created artificial price fluctuations, enabling them to buy tokens at artificially low prices and sell them at inflated rates.

C. Exploiting Smart Contract Vulnerabilities

The core of the attack involved exploiting a reentrancy vulnerability in one of VelocityCore's smart contracts. This vulnerability allowed the attackers to repeatedly call a function before the initial execution was completed, effectively draining the contract's funds.

2. Technical Breakdown of the Reentrancy Attack

Reentrancy attacks exploit the way smart contracts handle external calls. When a contract makes an external call to another contract, control is transferred to the external contract. If the external contract calls back into the original contract before the initial execution is complete, it can lead to unexpected behaviors and potential exploitation.

Example of a Vulnerable Smart Contract Function:

solidityCode kopieren

function withdraw(uint256 amount) public {
   require(balance[msg.sender] >= amount);
   (bool success, ) = msg.sender.call{value: amount}("");
   require(success);
   balance[msg.sender] -= amount;
}

In this function, the call to msg.sender transfers control to the attacker’s contract, which can then recursively call withdraw again, bypassing the deduction of the balance and draining the contract’s funds.

Mitigation Strategy:

  • Use of checks-effects-interactions Pattern: Ensure that state changes (e.g., updating balances) are made before external calls.
  • Utilize Reentrancy Guards: Solidity provides the ReentrancyGuard modifier to prevent reentrant calls.

solidityCode kopieren

modifier nonReentrant() {
   require(!_entered, "Reentrant call");
   _entered = true;
   _;
   _entered = false;
}

Latest Trends in Web3 Security

1. Enhanced Oracle Security

Price oracles are a critical component of many DeFi platforms, yet they remain a frequent target for attackers. Ensuring the integrity and reliability of oracle data is paramount. Emerging solutions include:

  • Decentralized Oracles: Utilizing multiple data sources to aggregate prices, reducing the risk of manipulation.
  • Oracle Verification Mechanisms: Implementing algorithms to detect and discard outlier data points.
2. Formal Verification of Smart Contracts

Formal verification involves mathematically proving the correctness of smart contracts. By specifying the desired properties of a contract and using formal methods to verify them, developers can ensure that the contract behaves as intended under all possible conditions.

  • Tools and Platforms: Tools like CertiK, OpenZeppelin’s Defender, and MythX are increasingly being adopted for formal verification.
3. Adoption of Multi-Signature Wallets

Multi-signature (multi-sig) wallets require multiple private keys to authorize a transaction. This adds an additional layer of security, particularly for large transactions and contract upgrades.

  • Case Study: The Gnosis Safe is a popular multi-sig wallet solution that has seen widespread adoption in the DeFi community.

Advanced Techniques for Smart Contract Security

1. Static and Dynamic Analysis
  • Static Analysis: Tools like Slither and MythX analyze smart contract code without executing it, identifying potential vulnerabilities such as reentrancy, unchecked external calls, and arithmetic errors.
  • Dynamic Analysis: Tools like Echidna perform fuzz testing, executing the contract with various inputs to detect unexpected behaviors.
2. Layered Security Approaches

Implementing a multi-layered security strategy can significantly enhance the resilience of smart contracts:

  • Input Validation: Strictly validate all inputs to smart contracts to prevent injection attacks.
  • Access Control: Implement role-based access control (RBAC) to limit the functions that can be executed by different users.
  • Rate Limiting: Prevent excessive transactions in a short period, which can mitigate the impact of certain types of attacks.

Case Study: The VelocityCore Incident

Incident Overview:The VelocityCore incident serves as a stark reminder of the complexities and risks associated with DeFi platforms. The attack was executed in three stages: securing a flash loan, manipulating price oracles, and exploiting a reentrancy vulnerability.

Response and Mitigation:Post-incident, VelocityCore implemented several measures to enhance security:

  • Smart Contract Audits: Engaged multiple independent audit firms to review and secure their codebase.
  • Oracle Decentralization: Transitioned to using Chainlink’s decentralized oracles to ensure reliable and tamper-proof data.
  • User Education: Launched initiatives to educate users on security best practices, including recognizing phishing attempts and securing private keys.

Lessons Learned:

  • Comprehensive Security Audits: Regular and thorough audits are crucial to identifying and mitigating vulnerabilities before they can be exploited.
  • Proactive Security Measures: Implementing advanced security features, such as formal verification and multi-sig wallets, can prevent or minimize the impact of attacks.
  • Community Engagement: Building a security-conscious community through education and transparent communication can enhance overall platform security.

Conclusion

The VelocityCore incident underscores the critical importance of robust security measures in the rapidly evolving Web3 landscape. By understanding the mechanisms of such exploits and implementing advanced security techniques, Web3 Security researchers, Audit Firms, and smart contract developers can significantly enhance the resilience and trustworthiness of decentralized platforms.

Recommendations:

  1. Engage in Regular Security Audits: Regularly audit your smart contracts using reputable third-party firms and automated tools.
  2. Implement Multi-Signature Wallets: Use multi-sig wallets for critical transactions and contract upgrades to add an extra layer of security.
  3. Adopt Formal Verification: Utilize formal verification methods to mathematically prove the correctness of your smart contracts.
  4. Enhance Oracle Security: Use decentralized oracles and implement verification mechanisms to ensure the integrity of price data.
  5. Educate Your Community: Foster a security-conscious community through ongoing education and transparent communication.

For further insights on the Web3 security space and details about hacks, join our TRUSTBYTES Discord.

References:

  • Velocity Post-Mortem: https://velocorexyz.medium.com/velocore-incident-post-mortem-6197020ec3e9

Author's image

Jonas